daemon/worker: upstream's answer integrity check

diff --git a/Makefile b/Makefile
index ad3721093cd218339cae42dd145b490a8b0e415c..3948e8346db299b9456d174333d485043bfe11a4 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ lint-lua: $(patsubst %.lua.in,%.lua,$(wildcard */*/*.lua.in))
 .PHONY: all install check clean doc info lint
 
 # Dependencies
-KNOT_MINVER := 2.6.4
+KNOT_MINVER := 2.6.7
 $(eval $(call find_lib,libknot,$(KNOT_MINVER),yes))
 $(eval $(call find_lib,libdnssec,$(KNOT_MINVER),yes))
 $(eval $(call find_lib,libzscanner,$(KNOT_MINVER),yes))

diff --git a/NEWS b/NEWS
index 3813fee1741c77447a5dfeb649464efb883ad6cf..c174516712306610d0b8027493856bee4046c54f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 Incompatible changes
 --------------------
-- minimal libknot version is now 2.6.7 to pull in latest fixes
+- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
 
 Security
 --------

diff --git a/daemon/worker.c b/daemon/worker.c
index b3cb8196dd66db64eddd56b1af55eb14426b220b..7adc79c3470089bfdf0af08fd64912ed65c1f560 100644 (file)
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1872,16 +1872,17 @@ static int parse_packet(knot_pkt_t *query)
 
        /* Parse query packet. */
        int ret = knot_pkt_parse(query, 0);
-       if (ret != KNOT_EOK) {
-               return kr_error(EPROTO); /* Ignore malformed query. */
-       }
-
-       /* Check if at least header is parsed. */
-       if (query->parsed < query->size) {
-               return kr_error(EMSGSIZE);
+       if (ret == KNOT_ETRAIL) {
+               /* Extra data after message end. */
+               ret = kr_error(EMSGSIZE);
+       } else if (ret != KNOT_EOK) {
+               /* Malformed query. */
+               ret = kr_error(EPROTO);
+       } else {
+               ret = kr_ok();
        }
 
-       return kr_ok();
+       return ret;
 }
 
 static struct qr_task* find_task(const struct session *session, uint16_t msg_id)
@@ -1918,7 +1919,7 @@ int worker_submit(struct worker_ctx *worker, uv_handle_t *handle,
         * or resume if this is subrequest */
        struct qr_task *task = NULL;
        if (!session->outgoing) { /* request from a client */
-               /* Ignore badly formed queries or responses. */
+               /* Ignore badly formed queries. */
                if (!query || ret != 0 || knot_wire_get_qr(query->wire)) {
                        if (query) worker->stats.dropped += 1;
                        return kr_error(EILSEQ);
@@ -1941,6 +1942,11 @@ int worker_submit(struct worker_ctx *worker, uv_handle_t *handle,
                }
                addr = NULL;
        } else if (query) { /* response from upstream */
+               if ((ret != kr_ok() && ret != kr_error(EMSGSIZE)) ||
+                   !knot_wire_get_qr(query->wire)) {
+                       /* Ignore badly formed responses. */
+                       return kr_error(EILSEQ);
+               }
                task = find_task(session, knot_wire_get_id(query->wire));
                if (task == NULL) {
                        return kr_error(ENOENT);